Relying on traditional application security testing (AST) solutions like Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) too frequently leads to headaches and insecure web applications.
Applications are increasingly being targeted
- The number of data breaches caused by an exploited vulnerability rose 180% year-over-year.1
- 50% increase in zero days being exploited year-over-year.2
- Less than 6% of applications have no flaws.3
Application vulnerabilities are not being adequately addressed
- 55 days after a third-party library vulnerability fix is released, half of applications continue using the unfixed version.4
- 48% of third-party flaws and 41% of first-party flaws are not remediated within 12 months.5
Legacy AppSec solutions have high false-positive rates
- For some tools and some languages, SAST’s false-positive rate is over 68%. 6
- NIST has found that SAST’s false-positive rate is as high as 78% for Java.7
- Per the OWASP Benchmark, DAST tools have a false-positive rate of 82%.8
- A high false-positive rate slows down remediation efforts, as dealing with 240 issues requires a full week’s worth of effort.9
Why are false positives so damaging?
- Wasted time and remediation effort
- Erodes trust in tooling, and can damage trust between security and developers
SAST and DAST take too long
- DAST tools may need up to 4 hours to scan some critical applications.10
- Mean time to remediation (MTTR) for some leading AST solutions is 298 days.11
- 41% of first-party flaws are
not remediated within 12 months.12
The difference that Interactive Application Security Testing (IAST) brings
- Up to 3x faster remediation times11
- 156% reduction in false positives.12
- 155% faster MTTR compared to leading AST solutions.13
Business benefits of IAST
| |
|
| Cost to triage all SAST/DAST results14 |
$60,394,464 |
| Cost to triage all IAST results |
$0 |
Contrast Security is the single best solution for optimizing for efficacy with a 100% true positive rate, per OWASP Benchmark.15
1 https://www.verizon.com/business/resources/reports/dbir/
2 https://cloud.google.com/blog/topics/threat-intelligence/2023-zero-day-trends
3 https://www.veracode.com/sites/default/files/2024-02/SOSS-Re-
port-2024.pdf?mkt_tok=NzkwLVpLVy0yOTEAAAGSbg3DHS_qVqteuMfnVaofr6H8E7jv5dTpjin5zH1f37SmyDfz1e3SvRkWaOr2w2fWRTVO7DlMUwjSYVQXljqj8jaY4uSr-h4M Uil2q1g1CNMJ3XY
4 Verizon DBIR
5 2024 Veracode State of Software Security Report
6 https://personal.utdallas.edu/~lxz144130/publications/icst2016.pdf
7 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-326.pdf
8 https://owasp.org/www-project-benchmark/
9 https://www.securitycompass.com/blog/safeguarding-software-quality-tackling-false-negatives-with-security-by-design/
10� https://docs.veracode.com/r/getting-started-with-crashtest-security
11 https://info.veracode.com/report-state-of-software-security-volume-12.html
12�2024 Veracode State of Software Security Report
13 https://www.contrastsecurity.com/customer-success/unit-4
14 IBID
15 Contrast Security internal data, https://info.veracode.com/report-state-of-software-security-volume-12.html
16 Results from one Fortune 100 Insurance Company from 2022
17 https://owasp.org/www-project-benchmark/
